mustang: talking to Microsoft IIS server with "Integrated Windows Authentication"

MS IIS server has an authentication scheme called "integrated windows authentication". in order to browse pages on this kind of web server, the user needs a windows user account in the same domain as the web server. normally, if you are working on a windows client PC that is already logged in to the domain, you can just browse the web site as if it were unprotected.

under the hood, IIS uses MS SSPI (?) to do all the authentication work with active directory. to the rest of the world this is known as the GSS API with Kerberos. since GSS/Kerberos has been inside Java for a long time, it's fairly easy to plug it into the HTTP protocol handler. so now you can use java to access those secret pages. the code is still:

        import java.io.*;
        import java.net.URL;

        // urlString is the page address, e.g. "http://intranet.me.com/secret.html"
        URL url = new URL(urlString);
        InputStream ins = url.openConnection().getInputStream();
        BufferedReader reader = new BufferedReader(new InputStreamReader(ins));
        String str;
        while ((str = reader.readLine()) != null)
            System.out.println(str);
that's very simple, isn't it?

oh, well... sorry, not that simple. for all of you (sysadmins especially) who have played with GSS and kerberos in java before, you know we need to do more to configure the kerberos runtime environment. just like any other GSS app, you will need these things:
  • a JAAS login config file, say login.conf, which normally looks like
    com.sun.security.jgss.krb5.initiate {
      com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=true useTicketCache=true;
    };
    attention: read the JAAS login entry name carefully: there is a krb5 in it, and this is the new GSS entry name in mustang.
  • a krb5.conf file, which normally looks like:
    [libdefaults]
        default_realm = ME.COM
        default_tkt_enctypes = rc4-hmac
        default_tgs_enctypes = rc4-hmac
        permitted_enctypes = rc4-hmac
    [realms]
        ME.COM = {
            kdc = kdc.me.com
        }
    
    the 3 enctype lines are (maybe) needed, since rc4-hmac is the default enctype active directory uses and maybe not the one on your machine or VM.
ok, then you can just call
java -Djava.security.krb5.conf=krb5.conf \
    -Djava.security.auth.login.config=login.conf \
    -Djavax.security.auth.useSubjectCredsOnly=false \
    YourClassName
to see the content of the file.

if you are not on a windows machine and want to run this example, make sure you've called kinit first so that a credential cache is already stored somewhere on your system. of course, you can always skip this step by providing the username and password inside the application (although this is somewhat contrary to the best feature kerberos brings us, single sign-on). to do this, change the value of doNotPrompt to false in the login.conf file and add a customized authenticator to your application, like this:
    import java.net.Authenticator;
    import java.net.PasswordAuthentication;

    // called by the HTTP protocol handler when the server challenges with Negotiate
    static class MyAuthenticator extends Authenticator {
        @Override
        public PasswordAuthentication getPasswordAuthentication() {
            return new PasswordAuthentication("myname", "mypass".toCharArray());
        }
    }
of course, i know you won't hardcode the pair inside your code like i did. there are a lot of console or GUI ways to get them from the user. also, don't forget to call
Authenticator.setDefault(new MyAuthenticator());
before fetching the URL. only this makes your new authenticator usable in the system.
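as an added example (my own code here, not part of the original post), here is a complete class that puts the pieces above together: it sets the three system properties from inside the program instead of on the command line, installs a console-prompting authenticator only when you pass --prompt (which assumes you switched login.conf to doNotPrompt=false), and checks the response code so a failed Negotiate handshake shows the server's WWW-Authenticate challenge instead of an unhelpful IOException. the class name NegotiateFetch and the file names krb5.conf / login.conf in the working directory are assumptions.

```java
import java.io.BufferedReader;
import java.io.Console;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.Authenticator;
import java.net.HttpURLConnection;
import java.net.PasswordAuthentication;
import java.net.URL;

/** Fetch a page from an IIS site protected by Integrated Windows Authentication (SPNEGO). */
public class NegotiateFetch {

    /** Asks for the password on the console instead of hardcoding "myname"/"mypass". */
    static class ConsoleAuthenticator extends Authenticator {
        @Override
        protected PasswordAuthentication getPasswordAuthentication() {
            Console console = System.console();
            if (console == null) {
                // no terminal attached: return null so the handler falls back to the
                // ticket cache (kinit) or gives up, rather than blocking forever
                return null;
            }
            // getRequestingScheme() is "negotiate" for an IIS Negotiate challenge
            String user = console.readLine("%s login for %s: ",
                                           getRequestingScheme(), getRequestingHost());
            char[] pass = console.readPassword("password: ");
            return new PasswordAuthentication(user, pass);
        }
    }

    public static void main(String[] args) throws IOException {
        if (args.length < 1) {
            System.err.println("usage: java NegotiateFetch <url> [--prompt]");
            System.exit(2);
        }
        // same as the -D flags on the java command line; file locations are assumptions
        System.setProperty("java.security.krb5.conf", "krb5.conf");
        System.setProperty("java.security.auth.login.config", "login.conf");
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

        boolean prompt = args.length > 1 && "--prompt".equals(args[1]);
        if (prompt) {
            // only useful together with doNotPrompt=false in login.conf
            Authenticator.setDefault(new ConsoleAuthenticator());
        }

        HttpURLConnection conn = (HttpURLConnection) new URL(args[0]).openConnection();
        // getResponseCode() drives the whole 401 -> Negotiate token -> 200 exchange
        int code = conn.getResponseCode();
        if (code == HttpURLConnection.HTTP_UNAUTHORIZED) {
            // the handshake failed (no ticket, wrong realm, enctype mismatch, ...);
            // the challenge header tells you which schemes the server offers
            System.err.println("401 from " + conn.getURL().getHost()
                               + "; WWW-Authenticate: " + conn.getHeaderField("WWW-Authenticate"));
            System.exit(1);
        }

        BufferedReader reader =
            new BufferedReader(new InputStreamReader(conn.getInputStream()));
        try {
            String line;
            while ((line = reader.readLine()) != null) {
                System.out.println(line);
            }
        } finally {
            reader.close();
        }
    }
}
```

run it exactly like the command above but without the -D flags, e.g. java NegotiateFetch http://intranet.me.com/secret.html; with a kinit'ed ticket cache it should print the page, and with --prompt it asks for the account on the console. the finally block instead of try-with-resources is deliberate so the class still compiles on mustang.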

so, that's still very easy, isn't it?


for those of you who complain that this is only a windows feature, i must tell you the (almost) same authentication scheme is also available elsewhere, say in apache. read this article by wyllys for the details.